About cmcwplgnomg404


QR Code Phishing Is Spreading Across Physical and Digital Channels

A look at how cybercriminals are turning QR codes into credential traps (QR code phishing), and what businesses can do to reduce their exposure.

A familiar tool is being weaponized

QR codes have become a routine part of daily business. They’re used for contactless check-ins, payment processing, document access, and marketing materials. But the convenience that makes QR codes so widely adopted also makes them exploitable.

Threat actors are now embedding malicious links in QR codes—both in emails and in physical materials like posters, mailers, and fake notices. The goal is simple: direct users to a spoofed login page that captures their credentials, often under the guise of document sharing, payment confirmation, or identity verification.


What makes QR-based phishing effective

Unlike traditional phishing emails, QR code attacks don’t contain visible links or attachments. Users scan them with personal mobile devices, which often lack corporate security tools. This bypasses many of the protections in place on company-managed desktops and laptops.

Attackers rely on urgency, familiarity, and poor verification habits. A code may appear in a building lobby, a parking ticket, a service renewal notice, or even as a response to a job application. These tactics exploit environments where people are least likely to question what they’re scanning.

How businesses can reduce risk

Organizations should begin by educating staff on QR-related risks. Employees should be taught to avoid scanning codes from unfamiliar or unverified sources, especially those urging immediate action.

IT teams can take further steps by restricting access to personal devices on the corporate network and reviewing how QR codes are used in internal processes, signage, and customer-facing materials.

In environments with mobile device management (MDM), policies can be configured to scan or isolate web activity initiated from QR codes. For highly targeted industries—legal, healthcare, finance—physical security and visual signage policies should be reviewed, especially in shared or public-facing spaces.

The threat is low-tech in appearance but high-impact in execution. Training and operational vigilance are key.


By Thomas McDonald
Vice President

May 26, 2025

Infostealer Malware Is Fueling Business Email Compromise — Here’s What’s Changing

A closer look at how credential theft is reshaping BEC attacks and what businesses need to do now to stay ahead.

Attacks are no longer limited to spoofed emails

Business Email Compromise (BEC) used to rely on tricking users with fake invoice requests or urgent emails from impersonated executives. While those tactics still exist, the landscape is shifting.

Attackers are increasingly using infostealer malware—lightweight programs that quietly extract saved browser credentials, cookies, and tokens. Once installed, even briefly, these tools give attackers access to real email accounts, often without triggering alarms.

The result is a growing wave of BEC attacks that don’t spoof anyone—they use actual inboxes.


What’s happening behind the scenes

Infostealer logs are bought and sold on dark web marketplaces. They include usernames, passwords, session cookies, and autofill data harvested from infected machines—often without detection. Once attackers gain access to a business email account, they monitor conversations, create hidden inbox rules, and impersonate internal stakeholders or vendors to redirect payments or initiate fraudulent transfers. These messages originate from real accounts, making them far harder to detect than traditional spoofing attempts.

Why this matters now

The surge in infostealer use has created a supply chain of compromise: initial infection, credential resale, and ultimately a targeted BEC attack. Many businesses discover the problem only after money is lost, a vendor relationship is damaged, or legal exposure surfaces.

Traditional email security filters don’t stop this. Once credentials are stolen, attackers bypass filtering entirely by logging in directly. While multifactor authentication (MFA) can help, inconsistent enforcement and token-based session hijacking can reduce its effectiveness.

What organizations should do next

Organizations should begin by enforcing MFA across all cloud platforms and user accounts. Endpoint tools should be in place to detect infostealer activity, such as unauthorized file access or suspicious outbound connections. It’s also important to review mailbox rules for any unexpected forwarding or folder manipulation, and to disable legacy protocols like IMAP and POP3, which are often exploited in these attacks.

Teams should also consider monitoring for dark web exposure or working with vendors who alert them when their credentials appear in breach data. The earlier a compromise is detected, the better the chances of avoiding a full-blown attack.

May 25, 2025

Fake Login Pages Are Getting More Convincing: What You Should Know

A practical guide to how phishing websites impersonate Microsoft, Google, and other trusted brands—and how to spot them before it’s too late.

Imitation is the new strategy

Cybercriminals are no longer relying on poor grammar or broken links to trick users. Instead, they’re deploying highly accurate copies of login pages for Microsoft 365, Google Workspace, DocuSign, Dropbox, and financial institutions. These pages look real, respond quickly, and often use valid-looking URLs with minor visual differences.

Once a user enters their credentials, the information is sent directly to the attacker, who may immediately log in to the real account, set up forwarding rules, or change recovery settings.


What makes these fake pages dangerous

These phishing sites often bypass traditional security awareness because they don’t rely on downloadable attachments or suspicious file names. Instead, they focus on psychological pressure—impersonating shared document requests, payment notices, or administrative alerts that demand quick action.

To make matters worse, attackers frequently use:

  • URL shorteners or redirect chains to hide the destination

  • HTTPS encryption (the lock icon) to create false trust

  • Real logos, fonts, and layout copied from the original service

  • Mobile-friendly designs to capture users on their phones

These tactics are effective because they’re designed to blend in, not raise alarms.

What you can do to protect yourself

While technical tools help, individual awareness remains essential. If you’re asked to log in to a familiar service, stop and consider:

  • Did you expect this message or file?

  • Is the sender’s email address spelled correctly and consistent with past communication?

  • Are you being asked to log in urgently, or with vague reasoning?

Before entering credentials, verify the site URL—character for character. Avoid clicking login links in emails when possible. Instead, navigate directly to the service through a bookmarked or manually typed URL.
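The character-for-character URL check above can be made systematic. The following is an added example, not code from the original post: it extracts the registrable domain of a login URL, compares it with an assumed list of services the organisation actually signs in to, and explains why a lookalike fails (brand name in a subdomain or path, non-ASCII homoglyph labels, or the padlock standing in for trust). The trusted-domain list and every URL in the tests are constructed.

```python
"""Decide whether a login URL really belongs to a trusted service or only looks
like it. Added example, not from the original post; TRUSTED is an assumed list
for one organisation and every URL used with it is constructed."""
from urllib.parse import urlsplit

TRUSTED = {"microsoft.com", "live.com", "google.com", "docusign.com", "dropbox.com"}
# Simplified public-suffix rule for the example: registrable domain is the last
# two labels, or three under a two-letter country code (example.co.uk).
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}

def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    three = len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2
    return ".".join(labels[-3:] if three else labels[-2:])

def check_login_url(url: str) -> dict:
    """Return {'trusted': bool, 'registrable': str, 'reasons': [str]}."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    # The padlock only proves the connection is encrypted, not who owns the
    # site: https is necessary here but never sufficient.
    if parts.scheme != "https":
        reasons.append("not https")
    # Non-ASCII or punycode labels are where homoglyph lookalikes hide.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalised hostname (possible homoglyph)")
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
    reg = registrable_domain(ascii_host)
    if reg not in TRUSTED:
        # A brand name in the subdomain or path of some other domain
        # (microsoft.com.login-example.net) is the "minor visual difference".
        for brand in sorted(t.split(".")[0] for t in TRUSTED):
            if brand in ascii_host or brand in parts.path.lower():
                reasons.append(f"'{brand}' appears outside its real domain ({reg})")
                break
        else:
            reasons.append(f"unrecognised domain {reg}")
    return {"trusted": not reasons, "registrable": reg, "reasons": reasons}
```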

Consider enabling multifactor authentication (MFA) on all accounts, which can prevent access even if a password is compromised.

May 25, 2025

Actionable Threat Intelligence: What Businesses Should Focus on Right Now

A timely guide to the most pressing cyber threats and how to respond with clarity, speed, and operational readiness.

AI-driven deception is the new frontline

Cyber adversaries are now using generative AI to craft realistic phishing emails, deepfake videos, and voice-based social engineering scams. These tactics are designed to exploit trust and bypass traditional filters.

Businesses should implement advanced email threat protection that uses behavior-based detection, train staff to verify requests through secondary channels, and review voice authentication protocols for sensitive tasks.


Infostealers are quietly stealing credentials

Malware strains like Lumma and RedLine are actively stealing browser-stored passwords, email logins, and financial credentials. These tools often remain undetected and are widely sold on underground markets.

Endpoint protection should be configured to detect command-and-control communication and data exfiltration patterns. Credential audits and forced password resets should be scheduled after any suspected compromise.

Ransomware is more targeted—and more public

Double extortion is now standard: threat actors encrypt data, then threaten to release it. This approach is increasingly used against professional services firms, healthcare providers, and mid-sized enterprises.

Organizations must maintain immutable backups, review which systems can communicate laterally across the network, and ensure response plans include legal, public relations, and client communication strategies.

Supply chain attacks remain a blind spot

Third-party vendors continue to be exploited as an entry point into larger organizations. Attackers compromise one supplier and move upstream, making vendor risk management a security priority.

Businesses should maintain inventories of all third-party access points, require vendors to meet minimum security standards, and segment supplier systems wherever possible.

By Thomas McDonald
Vice President

May 25, 2025

How to Document Your Technology Environment (and Why It Matters)

A look at what IT documentation should include and how it underpins day-to-day IT support, compliance, and business continuity.

Unwritten knowledge creates risk

Many businesses operate with a limited understanding of their own IT environment. Systems are added over time, passwords are stored informally, and dependencies exist only in someone’s memory. When that person leaves—or a crisis occurs—reconstructing that knowledge becomes a costly exercise.

Documenting your IT environment reduces that risk. It turns unwritten knowledge into shared resources that support troubleshooting, planning, and incident response.


What effective documentation includes

Every organization’s environment is different, but most documentation should include:

  • Network diagrams showing devices, connections, and internet-facing systems

  • Server and workstation inventories with location, purpose, and update status

  • Application lists, license keys, and support contacts

  • Administrative credentials and access control logs (secured separately)

  • Backup schedules, retention policies, and restore procedures

  • Notes on vendor contracts, warranties, and renewal dates

These records should be centralized, regularly updated, and accessible to authorized personnel.

The benefits go beyond emergencies

Well-documented environments accelerate onboarding, simplify provider transitions, and support compliance reviews. They reduce reliance on individual memory and help IT teams respond faster when issues arise.

In regulated industries, documentation can serve as evidence of due diligence. It demonstrates that systems are known, monitored, and maintained—an expectation in many audit scenarios.

Ultimately, documentation isn’t about complexity. It’s about control.

May 25, 2025